In all the talk and commentary about the EU-US Privacy Shield, what often gets lost is the one issue that is of primary importance to US businesses – what do US companies actually need to do to self-certify to the Shield?
With that in mind, we have sought to digest the 128 pages of Privacy Shield documentation and produce a condensed checklist of what the Shield requires from a practical standpoint.

Following two years of intense negotiation between the European Commission and the US Department of State, the European Commission finally adopted its updated Adequacy Decision on the EU-U.S. Privacy Shield ("Privacy Shield") on 12 July 2016. This amends the draft decision published on 29 February 2016. The Adequacy Decision is based on the political agreement that was reached by the EU and US on 2 February 2016, and is intended to replace the Safe Harbor Framework that was invalidated by the Court of Justice of the European Union ("CJEU") on 6 October 2015.

It is a little over six months since the Schrems decision which invalidated the Safe Harbor Agreement. During this time the EU and US have negotiated the EU-US Privacy Shield. How adequate is the level of protection for the transfer of personal data proposed by this alternative transatlantic regime? Yesterday the Article 29 Working Party expressed its concerns.

So it’s here! Yesterday, the European Commission published the suite of documents that comprise Safe Harbor’s replacement – the EU-US Privacy Shield. Documents available here. Over the intervening day or so, blogs everywhere have described what the Privacy Shield is (and we’ll get to that too), but many have missed perhaps the most important point: is it any good?

It’s a daunting task. You’re the newly appointed data privacy person in your organisation - either because you applied for the role or because someone “volunteered” you for it - and now you have to build out a data protection compliance program. Worldwide. From scratch. What do you do?